Which of the following is not very useful in assessing the security of acquired software?
A. Third-party vulnerability assessments
B. The NIST's National Software Reference Library
C. The reliability and maturity of the vendor
D. In-house code reviews
Eit
